AFCEA Cybersecurity through Continuous Monitoring: SolarWinds Survey Results and Tools Overview

WINNER: Overall Best In Show at 2014 AFCEA® Cyber Conference Solutions Trail

In a 2014 survey by SolarWinds and Market Connections, federal government and military IT professionals stated that their biggest cybersecurity threats are people: both malicious external attackers and clueless insiders. So how do Federal IT Pros prevent activity that can put their agency's security at risk and address these living cybersecurity threats when human behavior is out of their control? Implementing continuous monitoring solutions can help federal agencies safeguard against human error and quickly identify vulnerabilities, compliance issues and other threats by automatically collecting data and reporting on the performance, availability and security posture of an IT infrastructure. While continuous monitoring of the performance of networks, applications, servers and more will not stop hackers from attempting to infiltrate a network or stop careless employees from accidental blunders, it can provide a first line of defense and critical insight into how the IT infrastructure is impacted.

In this session you will learn:
  • The top cybersecurity threats plaguing agencies today and their sources
  • The types of continuous monitoring tools and technologies that can be leveraged by both IT operations and information security simultaneously to quickly detect and mitigate threats
  • How to overcome common obstacles and frustrations agencies face when implementing continuous monitoring solutions, and what benefits they see upon implementation


    1. AFCEA Cybersecurity through Continuous Monitoring: SolarWinds Survey Results and Tools Overview. Ed Bender, Head Federal SE, SolarWinds, ed.bender@solarwinds.com, 410-286-3060. © 2014 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. WINNER: Overall Best In Show at 2014 AFCEA® Cyber Conference Solutions Trail
    2. Agenda
       » 2014 Federal Cybersecurity Survey Results: continuous monitoring status in Federal Government; ROI and observations about continuous monitoring
       » Continuous monitoring tools with “dual-use” capabilities
       » Q&A
    3. SolarWinds® Federal Cybersecurity Survey Summary Report, March 26, 2014. © 2014 Market Connections, Inc. SolarWinds and Market Connections, Inc.® worked together to design and conduct a blind online cybersecurity survey, sponsored by SolarWinds, among 200 federal government IT decision makers and influencers in January and February 2014.
    4. SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025. Respondent Classifications: Decision Making Involvement. How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply; N=200; multiple responses allowed)
       • On a team that makes decisions regarding IT security and/or IT operations and management solutions: 51%
       • Manage or implement security and/or IT operations and management solutions: 41%
       • Evaluate or recommend firms offering IT security and/or IT operations and management solutions: 40%
       • Develop technical requirements for IT security and/or IT operations and management solutions: 33%
       • Make the final decision regarding IT security and/or IT operations and management solutions or contractors: 17%
       • Other involvement in IT security and/or IT operations and management solutions: 8%
       • All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and management and IT security solutions and services.
    5. Continuous Monitoring Implementation: Continuous Monitoring Plan. How well equipped is your agency to support federal government (ex. OMB mandate, DISA STIG, etc.) continuous monitoring requirements? (N=200)
       • We have implemented at least one continuous monitoring solution: 63%
       • We are planning to implement continuous monitoring: 20%
       • We have not started planning: 4%
       • Don’t know: 13%
       • (Non-users in total: 37%)
       What are the reasons that you have not started planning to implement continuous monitoring? (select all that apply; N=7)
       • Budget constraints: 86%
       • Lack of manpower: 43%
       • Competing priorities and other initiatives: 29%
       • Lack of top-level direction and leadership: 0%
       • Other: 14%
       • Two-thirds report having implemented at least one continuous monitoring solution. The majority of those who have not started planning report it is due to budget constraints.
    6. Continuous Monitoring Implementation: Return on Investment. Have you measured the return on your investment in using continuous monitoring? (N=125)
       • Yes, it’s paying off nicely: 49%
       • Yes, and we’re disappointed in the results: 9%
       • No, but we feel we’re getting our money’s worth: 38%
       • No, but we feel we aren’t getting a payoff from the technology: 4%
       Once implemented, do you plan to measure the return on your investment in using continuous monitoring? (N=39)
       • Yes: 59%
       • No: 10%
       • Unsure at this time: 31%
       • Nearly half of respondents have measured the return on investment of continuous monitoring and report it is paying off nicely. Of those planning to implement continuous monitoring, the majority plan to measure its return on investment once implemented.
    7. Continuous Monitoring Implementation: Continuous Monitoring Benefits. What do you perceive as the top three benefits to comprehensive continuous monitoring? (select three; N=200; multiple responses allowed)
       • More timely awareness of real-time vulnerabilities: 69%
       • Keeping up with the newest vulnerabilities: 47% (statistically significant difference: Defense 56%, Civilian 40%)
       • Keeping up with the latest compliance requirements: 33%
       • Increased visibility into current IT configurations: 31%
       • More timely visibility into results of compliance efforts: 31%
       • Automated compliance reports: 26%
       • Reduced labor costs: 16%
       • Reduction in “Data Calls”: 14%
       • Automated “Score Card” report on compliance by functional area: 11%
       • Increased technical collaboration with various functional areas: 11%
       • Other: 2%
       • Not sure: 5%
       • The majority perceive more timely awareness of real-time vulnerabilities as the top benefit to comprehensive continuous monitoring.
    8. Cybersecurity Obstacles, Threats, & Events: Cybersecurity Readiness. How would you describe your agency’s overall cybersecurity readiness? (N=200)
       • Excellent – we have the appropriate tools, processes and policies in place: 44%
       • Good – some tools, processes or policies are in place and/or some may need updating: 50%
       • Poor – we are lacking the necessary tools, processes: 5%
       • Not sure: 2%
       • Statistically significant differences. Continuous monitoring user vs. non-user: Excellent 54% vs. 28%; Good 44% vs. 60%; Poor 2% vs. 9%. Defense vs. Civilian: Excellent 54% vs. 37%.
       • The majority describe their agency’s overall cybersecurity readiness as good or excellent. A significantly greater proportion of defense agency respondents, as well as respondents that use continuous monitoring, rate their readiness as excellent.
    9. Cybersecurity Obstacles, Threats, & Events: IT Security Obstacles. What is the single most significant high-level obstacle to maintain or improve IT security at your agency? (N=200)
       • Budget constraints: 40%
       • Competing priorities and other initiatives: 19%
       • Complexity of internal environment: 14%
       • Lack of manpower: 8%
       • Lack of top-level direction and leadership: 6%
       • Lack of training for personnel: 5%
       • Lack of clear standards: 4%
       • Lack of technical solutions available at my agency: 2%
       • Other: 4%
       • Respondents most often consider budget constraints as the single most significant high-level obstacle to maintain or improve IT security.
    10. Cybersecurity Obstacles, Threats, & Events: Tool Implementation Frustrations. What are the biggest frustrations an IT manager in your agency faces in implementing cyber security tools? (select all that apply; N=200; multiple responses allowed)
       • Lack of budget: 63%
       • Organizational issues or turf battles: 42%
       • Expensive to maintain: 32%
       • Difficult to update due to evolving compliance requirements: 29%
       • Expensive to upgrade: 29%
       • High cost of training: 26%
       • Difficult to implement and/or operate: 26%
       • Hidden operations costs: 23%
       • Lack of executive buy-in on importance of compliance: 20% (statistically significant difference: continuous monitoring user 14%, non-user 29%)
       • Difficult to update for emerging threats: 18%
       • Insufficient or inflexible reporting: 12%
       • Agency does not enforce compliance: 9%
       • Other: 2%
       • The majority report lack of budget is the biggest frustration an IT manager faces in implementing cyber security tools.
    11. Cybersecurity Obstacles, Threats, & Events: Cybersecurity Threats. What types of cybersecurity threats are plaguing your agency? (select all that apply; N=200; multiple responses allowed)
       • External hacking: 50% (statistically significant difference: continuous monitoring user 57%, non-user 37%)
       • Malware: 46%
       • Social engineering: 37%
       • SPAM: 36%
       • Insider data leakage/theft: 29% (Defense 41%, Civilian 21%)
       • Denial of service: 25%
       • Mobile device theft: 20% (Defense 12%, Civilian 25%)
       • Physical security attacks: 18% (Defense 25%, Civilian 13%)
       • APT: 6%
       • Other: 3%
       • No cyber threats plague my agency: 6%
       • Unsure if cyber threats plague my agency: 9%
       • External hacking and malware are the overall top cybersecurity threats plaguing agencies.
    12. Cybersecurity Obstacles, Threats, & Events: Security Threat Sources. What are the largest sources of security threats to your agency? (select all that apply; N=200; multiple responses allowed)
       • General hacking community: 47% (statistically significant difference: Defense 35%, Civilian 55%)
       • Careless/untrained insiders: 42% (Defense 53%, Civilian 35%)
       • Foreign governments: 34% (Defense 48%, Civilian 24%)
       • Hacktivists: 26%
       • Terrorists: 21% (Defense 31%, Civilian 13%)
       • Malicious insiders: 17% (Defense 26%, Civilian 10%)
       • For-profit crime: 11%
       • Industrial spies: 6%
       • Other: 3%
       • None of the above plague my agency: 4%
       • Unsure if these threats plague my agency: 9%
       • The general hacking community and careless/untrained insiders are the largest sources of security threats at agencies.
    13. Cybersecurity Obstacles, Threats, & Events: Security Investment Priorities. For each of the following security practices and/or technologies, please indicate your organization’s priority level for investing resources in the next 12 months. (N=200; scale 1 = not a priority to 5 = essential; shown as high or essential priority (4 & 5) / medium priority (3))
       • Intrusion detection and prevention: 78% / 17%
       • Firewall configuration and security continuous monitoring: 74% / 19%
       • Improving general network defenses e.g., firewalls, secure gateways: 73% / 21%
       • Server security and compliance continuous monitoring: 71% / 22%
       • Identity and access management: 71% / 21%
       • Network configuration security compliance continuous monitoring: 70% / 22%
       • Database security: 68% / 24%
       • Improving system defenses e.g. anti-virus, HIPS: 68% / 24%
       • Vulnerability management: 67% / 25%
       • Average score on the 1–5 scale, as printed, ranges from 4.00 to 4.19 across these nine items.
       • Firewall configuration and security continuous monitoring are the top essential priorities for investing resources in the next 12 months.
    14. Cybersecurity Obstacles, Threats, & Events: Security Investment Priorities (Continued). Same question. (N=200; high or essential priority (4 & 5) / medium priority (3))
       • Security information and event management: 65% / 25%
       • Implementing technologies and processes to monitor information system activity: 64% / 25%
       • Secure document sharing: 60% / 23%
       • Technologies and processes to monitor and block use of removable media (USB, etc.): 58% / 23%
       • Secure remote systems administration: 58% / 25%
       • Patch management: 58% / 33%
       • Implementing technologies and processes to monitor user activity: 58% / 27%
       • Improving mobile device security (mobile policy enforcement, etc.): 52% / 25%
       • Log management: 49% / 34%
       • Average score on the 1–5 scale, as printed, ranges from 3.55 to 3.93 across these nine items.
    15. Cybersecurity Obstacles, Threats, & Events: Security Investment Priorities (Continued). Same question; share rating the item 5 – Essential, continuous monitoring user vs. non-user (all statistically significant differences)
       • Firewall configuration and security continuous monitoring: 53% vs. 33%
       • Intrusion detection and prevention: 52% vs. 31%
       • Improving system defenses e.g. anti-virus, HIPS: 46% vs. 32%
       • Network configuration security compliance continuous monitoring: 46% vs. 31%
       • Database security: 44% vs. 17%
       • Vulnerability management: 41% vs. 25%
       • Technologies and processes to monitor and block use of removable media (USB, etc.): 37% vs. 23%
       • Secure remote systems administration: 36% vs. 20%
       • Security information and event management: 34% vs. 20%
       • Patch management: 33% vs. 19%
       • Continuous monitoring users indicate that most practices and technologies are essential-priority investments significantly more than non-users.
    16. Cybersecurity Obstacles, Threats, & Events: Security Event Detection. How long does it typically take your organization to detect and/or analyze the following types of security events or compliance issues? (N=200; within minutes / within hours / within one day / more than one day / no ability to detect / don’t know or unsure)
       • Inappropriate internet access by insiders: 40% / 19% / 16% / 13% / 4% / 10%
       • Rogue device on network: 37% / 27% / 13% / 10% / 2% / 12%
       • Misuse/abuse of credentials: 32% / 23% / 14% / 13% / 3% / 17%
       • External data breach: 31% / 23% / 15% / 14% / 1% / 17%
       • Compromised account: 27% / 25% / 18% / 12% / 3% / 17%
       • New malware variant: 25% / 29% / 20% / 12% / 1% / 14%
       • Firewall rules out of compliance: 25% / 22% / 24% / 13% / 1% / 16%
       • Respondents report most often that inappropriate internet access by insiders can be detected within minutes.
    17. Cybersecurity Obstacles, Threats, & Events: Security Event Detection (Continued). Same question. (N=200; within minutes / within hours / within one day / more than one day / no ability to detect / don’t know or unsure)
       • Spear-phishing: 23% / 30% / 16% / 12% / 3% / 17%
       • Network device configurations out of compliance: 20% / 28% / 21% / 17% / 2% / 13%
       • Windows system configurations out of compliance: 18% / 30% / 20% / 20% / 4% / 10%
       • Non-Windows system configurations out of compliance: 17% / 25% / 16% / 19% / 5% / 19%
       • Data leakage: 17% / 24% / 20% / 15% / 5% / 20%
       • Inappropriate sharing of documents: 14% / 22% / 11% / 22% / 14% / 18%
       • Inappropriate sharing of documents is reported least often as detectable within minutes.
    18. Cybersecurity Obstacles, Threats, & Events: Security Event Detection (Continued). Same question; share detecting within minutes, continuous monitoring user vs. non-user (all statistically significant differences)
       • Inappropriate internet access by insiders: 46% vs. 29%
       • Rogue device on network: 46% vs. 23%
       • Misuse/abuse of credentials: 37% vs. 23%
       • Compromised account: 34% vs. 15%
       • Firewall rules out of compliance: 30% vs. 16%
       • Windows system configurations out of compliance: 23% vs. 8%
       • Data leakage: 22% vs. 8%
       • Continuous monitoring users indicate detecting and analyzing most security events or compliance issues within minutes significantly more than non-users.
    19. Survey Results: Biggest Surprises
       » No statistically significant difference between “IT Operations” and “IT Security”
       » 47% had 15+ years at their agency
       » 87% either know or feel they are getting ROI from their continuous monitoring investment
       » 42% list "organizational issues or turf battles" as a top tool implementation frustration (second only to lack of budget)
    20. IT Security Challenges from Survey Data. Continuous monitoring tools should address these challenges:
       » Budget constraints >>> tools affordable
       » Competing priorities >>> tools provide cross-functional value
       » Turf battles >>> tools provide inter-departmental value
       » Complexity of internal environment >>> tools easy to implement
       » Lack of manpower >>> tools easy to operate and maintain
       » Evolving compliance requirements >>> tools easily customizable
    21. IT Ops Has Been Doing Continuous Monitoring For Many Years… and So Has InfoSec
       » IT Operations people know that continuously monitoring their infrastructure is critical to their success: performance monitoring, availability monitoring, change management
       » InfoSec has been driving the use of automated tools for continuous monitoring for their success: compliance monitoring, security monitoring, change monitoring, log monitoring
       » Can we avoid duplication of effort?
    22. Get Dual Use Out of Your IT Operations Tools
       » IT operations is already collecting configuration data
       » InfoSec needs the same data, but different reports from that data
       » Why not look for tools that can satisfy both teams simultaneously? Reduce purchase costs; reduce operations and maintenance costs; increase cross-functional and inter-departmental cooperation
    23. Some Examples of Dual Use Tools
       » Network Configuration Manager (NCM)
       » Firewall Security Manager (FSM)
       » Log & Event Manager (LEM)
       » User Device Tracker (UDT)
       » Server & Application Monitor (SAM)
    24. Compliance Dashboard – Network Configuration Manager (NCM)
    25. Fed Compliance Details – Network Configuration Manager (NCM) for DISA STIG / FISMA NIST
    26. IOS Version Numbers Data Call – Network Configuration Manager (NCM)
    27. Data Call True Story – “Dual Use” of NCM
       » A very specific issue was discovered: a particular class of Cisco devices, running a very specific card, with a very specific code base
       » Agency IT execs start discussing a project to identify impacted devices among the thousands of Cisco devices
       » A SolarWinds NCM user hears about the problem, runs an NCM inventory report to identify the handful of devices, and the discovery problem is solved
    28. Fed Compliance – Firewall Security Manager (FSM) – Security Checks against STIG Catalog
    29. Fed Compliance – Firewall Security Manager (FSM) – Security Audit mapped to STIG Profile
    30. Log Management/SIEM including File Integrity Monitoring – Log & Event Manager (LEM)
    31. Log & Event Manager (LEM) – Collect Log Data from Multiple Devices
    32. Log & Event Manager (LEM) – Customize Rules for Alerting and Automatic Action
    33. User Device Tracker (UDT) – Rogue and Watched Devices (screenshot panels: Rogue Devices, Watched Devices)
    34. User Device Tracker (UDT) – Wireless Users, Both Real Time and Historical
    35. Server & Application Monitor (SAM) – Asset Inventory includes Software, Drivers, Firmware (screenshot callouts: Installed Driver Versions, Firmware Version)
    36. SAM – Gathers Asset Tags and Server Serial Numbers and Intrusion Data (screenshot callouts: Chassis Intrusion Detection, Dell® Service Tag for ESX® Server)
    37. Q&A & More
       » Questions?
       » SolarWinds Federal Cybersecurity Survey: visit the Resource Center on SolarWinds.com or click the links to access the full survey data, infographic and whitepaper
       » Contact Us: call the Federal team at 877-946-3751; email federalsales@solarwinds.com; email our Government Reseller DLT at solarwinds@dlt.com; visit http://www.solarwinds.com/federal; download a free trial at http://www.solarwinds.com/downloads/; Twitter: @SolarWinds_Gov
    38. Thank You! The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.
